It's not hard to find instructions on how to fix these problems, for instance by asking for the new keys with apt-key adv --recv-keys or rebuilding the cache; so I'm not asking about how to fix these.

But why is this the right thing to do? Why is "oh, I need new keys? Cool, go get new keys" not just defeating the purpose of having a signed repository in the first place? Are the keys signed by a master key that apt-key checks? Should we be doing some additional validation to ensure that we're getting legitimate keys?

That doesn't mean you shouldn't manually add the keys, but only if you know how to check if the keys are valid. Some ways of checking the integrity of the package / validity of the key:

Cross-checking whether the GPG key is already listed in the releases.gpg file. If it is already there, you can rest assured that the key is secure, because only the keys of trusted developers are included in the releases.gpg file.

Install the debsig-verify package (see the manpage for the debsig-verify command). It automatically verifies the source and the validity of the Debian package itself. You might, though, run into weird problems from time to time, since debsig-verify checks for signatures embedded inside Debian packages, something that is not widely practised since the advent of secure-apt.

So, the accepted solution at "What is the easiest way to resolve apt-get BADSIG GPG errors?" is not exactly recommended nor secure for the average Joe, as he would probably have neither the time, patience nor awareness to check whether the solution is secure enough for him. Instead, the second answer on that question should be recommended for its simplicity and its more guaranteed security.
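As an added illustration (not part of the question or the answer above) of the kind of out-of-band check the answer asks for: instead of installing whatever key ID apt complains about, pin the key to a fingerprint obtained from the distributor by an independent channel and refuse to install it on a mismatch. The gpg --with-colons record layout is real; the fingerprints, key file name and destination path are constructed for the example.

```shell
#!/bin/sh
# Constructed example: pin an apt signing key to a fingerprint obtained
# out-of-band before placing it in the apt keyring directory.
set -eu

# Print the full fingerprints found in gpg --with-colons output (stdin).
# In colon format the fingerprint of an "fpr" record is field 10.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print toupper($10) }'
}

# Normalise a human-formatted fingerprint: drop spaces, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if the expected fingerprint ($1) appears among the
# fingerprints in the colon-format listing read from stdin.
# Usage: gpg --show-keys --with-colons key.asc | key_matches "<fingerprint>"
key_matches() {
    expected=$(norm_fpr "$1")
    fprs_from_colons | grep -qx -- "$expected"
}

# Verify a downloaded key file against the pinned fingerprint and only then
# dearmor it into the keyring directory (destination path is illustrative).
install_pinned_key() {
    keyfile=$1; expected=$2; dest=${3:-/etc/apt/trusted.gpg.d/example-repo.gpg}
    if gpg --show-keys --with-colons "$keyfile" | key_matches "$expected"; then
        gpg --dearmor < "$keyfile" > "$dest"
        echo "installed $dest"
    else
        echo "fingerprint mismatch for $keyfile; refusing to install" >&2
        return 1
    fi
}
```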